Every corporation has a different corporate policy when it comes to what applications can be used over the web—what can and cannot be accessed on the company’s network and what websites are deemed work appropriate. For example, many financial firms do not allow mobile phones, personal email and other seemingly innocent activities or devices as they have the potential to be used for fraud, embezzlement or data leakage.
On the other hand, maybe your work environment is much more laissez-faire with these policies, and browsing the Internet and using your phone at work are not seen as jeopardizing factors.
Whatever your corporate policy, preventing data leakage depends on employees adhering to the rules. A recent survey that Cisco commissioned from InsightExpress asked IT personnel about the common mistakes employees make that result in data leakage. The survey found that 70 percent of IT professionals believed the use of unauthorized applications resulted in as many as half of a company’s data loss, while 39 percent of IT professionals said they have dealt with an employee accessing unauthorized parts of the company’s network or facility.
Even when security policies are in place, people still circumvent them, whether maliciously or not. So, how can you as a network engineer or IT personnel help to create a more secure network and prevent data leakage caused by policy violations? Here are a few common areas where employees circumvent policy, along with some practices and tools you can use to ensure that data stays secure.
Using Mobile Devices at Work
Many businesses have deployed Wi-Fi, with the initial intention of supporting IT-issued laptops. The growing trend of BYOD shows that employees are increasingly trying to add their mobile devices, like tablets, to the corporate Wi-Fi. Using mobile devices might be allowed at your office; however, it is important to realize that most mobile devices do not support corporate controls. If you allow BYOD on the same network as your corporate-controlled equipment, there is a possible data hygiene violation: untrusted equipment, even if operated by well-intentioned users, is running on your trusted network.
In addition, if an employee invites a friend over and provides him or her with the Wi-Fi password, you may get rogue mobile devices, untrusted devices with untrusted users, that could affect your overall network. Apart from the obvious danger of an unauthorized user, there are less obvious issues, like malware that could jump to internal devices with the specific goal of giving access to an attacker.
BYOD requires a balance between easily allowing authorized users onto the network while securely keeping unauthorized users off. A common first step is a dedicated BYOD or guest wireless network, but additional steps include 802.1X or WPA2 Enterprise to perform per-user authentication, or even supplementing passwords with device certificates.
Given that there are political and technical issues with managing BYOD devices directly, network analyzers are a great choice. The network perspective lets you apply controls to the data that’s carried without requiring device-based agents. Network analyzers also can help you find the rogue users and take you directly to where the source lies at your office to either enforce the mobile policy or to kick the user off the network.
Accessing Inappropriate Areas of the Web
The challenge of enforcing corporate standards in accessing the Web is also well-served by a network-based solution. Network-level controls can be device-agnostic and comprehensive, since they focus on what data is delivered rather than what the user is doing.
The “classic” method is using a network proxy. Proxy support is built-in for every major browser and OS, including automatic proxy detection. It is also possible to set up a transparent proxy, which requires no browser or OS support. The upside with a proxy is that it gives you as an administrator a great deal of control, as well as some bandwidth reduction due to local caching. The downside with a proxy is that it may not be fast enough to keep up with the demand for traffic, causing unhappy users.
Another method is web filtering on a Deep Packet Inspection (DPI) hardware device, like a firewall. The DPI box can observe and intercept the web requests, much like a transparent proxy. The upside with DPI hardware is that there should not be a speed impact – your mileage may vary – and the downside is a combination of cost and control. It can be difficult to justify the cost of a DPI appliance just for web filtering, but the feature is becoming more common in enterprise-class firewalls, so you may already have such a device in production, which makes it a no-cost solution. The other downside is that web filtering is not generally a primary feature of these devices, so the quality of enforcement set-up and monitoring can vary greatly.
A method which has gotten more attention lately is cloud-based enforcement. At WildPackets, we use a DNS-based web filtering service. There are also web filtering services which are available as part of “clean pipe” services. These services vary in terms of cost and delivery method, but it should be worth your time to do some initial analysis whether they make sense for your business.
Users have a few methods for circumventing web filtering, including proxies, browser-in-browser, and VPNs. Fortunately, all of these are straightforward to detect. Proxies and browser-in-browser may be blocked by your web filtering solution. VPNs should show up either as a VPN or as a non-standard protocol, both of which are easy to identify.
When these user bypass methods aren’t blocked or obvious, they hide as web traffic, either HTTP or HTTPS. Here, the key is to find the traffic pattern. Since the bypass works by forwarding all web traffic through a remote server, the user’s computer will only have remote connections to the bypass server, but there will be a lot of traffic from that user to that server! If you find either large flows from a user, or a user connecting only to one external address, those are indications of web filtering bypass.
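The two indicators just described (one external peer carrying all of a user's web traffic, or an unusually large flow to a single external host) can be checked directly against per-flow byte counts exported by a packet or flow analyzer. The script below is an added example and not WildPackets code; the flow records, thresholds and the internal address ranges are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Internal address space as the administrator would define it (RFC 1918 here; assumed).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (user_ip, dst_ip, bytes_to_dst), not real captures.
# External hosts use the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 52_000),         # normal browsing: several hosts, modest volume
    ("10.0.0.5", "192.0.2.44", 310_000),
    ("10.0.0.5", "198.51.100.8", 80_000),
    ("10.0.0.5", "10.0.0.200", 9_000_000),      # internal file server: not counted
    ("10.0.0.7", "203.0.113.10", 4_200_000),    # a single external peer carrying heavy volume
    ("10.0.0.7", "203.0.113.10", 3_900_000),
    ("10.0.0.9", "198.51.100.20", 25_000_000),  # one very large flow among ordinary ones
    ("10.0.0.9", "192.0.2.10", 40_000),
    ("10.0.0.9", "198.51.100.8", 15_000),
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_bypass_suspects(flows, large_flow_bytes=2_000_000, single_peer_min_bytes=1_000_000):
    """Return {user_ip: [reasons]} for users whose external traffic matches a
    filter-bypass pattern: all external traffic to one host, or one very large flow."""
    per_user = defaultdict(lambda: defaultdict(int))  # user -> external dst -> bytes
    for user, dst, nbytes in flows:
        if is_external(dst):
            per_user[user][dst] += nbytes

    suspects = {}
    for user, dsts in per_user.items():
        reasons = []
        total = sum(dsts.values())
        if len(dsts) == 1 and total >= single_peer_min_bytes:
            (peer,) = dsts
            reasons.append(f"all external traffic ({total} bytes) goes to a single host {peer}")
        for dst, nbytes in dsts.items():
            if nbytes >= large_flow_bytes:
                reasons.append(f"large flow of {nbytes} bytes to {dst}")
        if reasons:
            suspects[user] = reasons
    return suspects


if __name__ == "__main__":
    for user, reasons in find_bypass_suspects(SAMPLE_FLOWS).items():
        print(user, "->", "; ".join(reasons))
```

A large sanctioned download or a corporate VPN client produces the same pattern, so treat hits as leads to verify in the analyzer rather than as verdicts.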
Overall Data Leakage Prevention
When employees circumvent policies, the possibility for data leakage—whether purposeful or not—can arise. To prevent this, new data leakage prevention (DLP) tools are available on the market.
This technology lets administrators inspect network traffic to determine whether sensitive data is being transmitted in ways that violate corporate policy. It uses deep packet inspection (DPI) and requires an inline appliance that analyzes both header and payload information. Often based on keyword rules, DLP systems analyze each packet for rule violations, saving metadata only when violations are detected. DLP systems are far from foolproof, and require detailed knowledge of typical network traffic patterns and constant adjustment to reduce false alarms while keeping data secure.
If you are considering deploying a DLP solution, consider using a packet analyzer as a test case. Use keyword filters with alerts to test what a DLP system might find, and how much tuning it might take to keep the results relevant. The experience will give you lots of questions to ask a potential DLP vendor, and help you narrow down your choices quickly.
Adhering to corporate policies as they relate to the network is essential to security. However, employees often violate these policies and fail to understand why such rules are put in place. There are easy steps to find these users and work with them to follow the policies to ensure that data leakage or other security risks do not become a problem for your network.